Hello,

I am running an iptables firewall on an OpenWrt router I've got, which
acts as firewall/gateway and performs NATing for my internal network -
Debian PCs and Android phones.

All good, but specific web sites are not loading for the machines that
are sitting behind the home router.

When attempting in the browser (Firefox, but I tried different ones) the
browser stays at `Performing a TLS handshake to bitbucket.org`. wget has
similar results:
```
wget  https://bitbucket.org
--2019-12-09 22:07:32--  https://bitbucket.org/
Resolving bitbucket.org (bitbucket.org)... 18.205.93.0, 18.205.93.1,
18.205.93.2, ... Connecting to bitbucket.org
(bitbucket.org)|18.205.93.0|:443... connected.
```
When doing a tcpdump on the router side I can see some initial TCP
session establishment and then nothing:
```
tcpdump -vvvi br-lan port 443 | grep bitbucket.org
tcpdump: listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
    192.168.2.168.54440 > bitbucket.org.443: Flags [S], cksum 0xb3a3 (correct), seq 2816225641, win 29200, options [mss 1460,sackOK,TS val 15744661 ecr 0,nop,wscale 7], length 0
    bitbucket.org.443 > 192.168.2.168.54440: Flags [S.], cksum 0x5c8d (correct), seq 1149625734, ack 2816225642, win 26847, options [mss 1460,sackOK,TS val 4256708721 ecr 15744661,nop,wscale 7], length 0
    192.168.2.168.54440 > bitbucket.org.443: Flags [.], cksum 0xf33d (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 15744683 ecr 4256708721], length 0
    192.168.2.168.54440 > bitbucket.org.443: Flags [P.], cksum 0x58a5 (correct), seq 1:221, ack 1, win 229, options [nop,nop,TS val 15744684 ecr 4256708721], length 220
    bitbucket.org.443 > 192.168.2.168.54440: Flags [.], cksum 0xf211 (correct), seq 1, ack 221, win 219, options [nop,nop,TS val 4256708810 ecr 15744684], length 0
    bitbucket.org.443 > 192.168.2.168.54440: Flags [P.], cksum 0x9998 (correct), seq 2897:3668, ack 221, win 219, options [nop,nop,TS val 4256708810 ecr 15744684], length 771
    192.168.2.168.54440 > bitbucket.org.443: Flags [.], cksum 0x4e08 (correct), seq 221, ack 1, win 251, options [nop,nop,TS val 15744705 ecr 4256708810,nop,nop,sack 1 {2897:3668}], length 0
```

Of course doing a wget from the router itself works fine, as it also
works fine on my desktop if I do dynamic port-forwarding with e.g. `ssh
-D 1050 router` (and of course configure Firefox to use it).

I'm not sure what might be wrong here, tbh. Of course other (most) sites
work fine without dynamic forwarding or anything.

I am attaching the output of `iptables --list-rules` for whoever is
patient enough to read.

Any help would be appreciated.

-- 
Regards,
Nektarios Katakis
```
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N forwarding_dmz_rule
-N forwarding_lan_rule
-N forwarding_rule
-N forwarding_wan_rule
-N input_dmz_rule
-N input_lan_rule
-N input_rule
-N input_wan_rule
-N output_dmz_rule
-N output_lan_rule
-N output_rule
-N output_wan_rule
-N reject
-N syn_flood
-N zone_dmz_dest_ACCEPT
-N zone_dmz_forward
-N zone_dmz_input
-N zone_dmz_output
-N zone_dmz_src_ACCEPT
-N zone_lan_dest_ACCEPT
-N zone_lan_forward
-N zone_lan_input
-N zone_lan_output
-N zone_lan_src_ACCEPT
-N zone_wan_dest_ACCEPT
-N zone_wan_dest_REJECT
-N zone_wan_forward
-N zone_wan_input
-N zone_wan_output
-N zone_wan_src_REJECT
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i br-dmz -m comment --comment "!fw3" -j zone_dmz_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i br-dmz -m comment --comment "!fw3" -j zone_dmz_forward
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o br-dmz -m comment --comment "!fw3" -j zone_dmz_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_dmz_dest_ACCEPT -o br-dmz -m comment --comment "!fw3" -j ACCEPT
-A zone_dmz_forward -m comment --comment "!fw3: Custom dmz forwarding rule chain" -j forwarding_dmz_rule
-A zone_dmz_forward -m comment --comment "!fw3: Zone dmz to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_dmz_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_dmz_forward -m comment --comment "!fw3" -j zone_dmz_dest_ACCEPT
-A zone_dmz_input -m comment --comment "!fw3: Custom dmz input rule chain" -j input_dmz_rule
-A zone_dmz_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_dmz_input -m comment --comment "!fw3" -j zone_dmz_src_ACCEPT
-A zone_dmz_output -m comment --comment "!fw3: Custom dmz output rule chain" -j output_dmz_rule
-A zone_dmz_output -m comment --comment "!fw3" -j zone_dmz_dest_ACCEPT
-A zone_dmz_src_ACCEPT -i br-dmz -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
```
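Added example, not part of the original mail: a small Python parser over the tcpdump lines above that reconstructs each side's byte stream from tcpdump's relative sequence numbers. It shows that the server's bytes 1:2897 never appeared on br-lan while the 771-byte segment 2897:3668 did, and that the 2896-byte hole is exactly two full-size segments (MSS 1460 minus 12 bytes of TCP timestamp option), the pattern of a path-MTU blackhole.

```python
import re

# The seven packets from the tcpdump in the post above, one per line (nothing constructed).
CAPTURE = """\
192.168.2.168.54440 > bitbucket.org.443: Flags [S], cksum 0xb3a3 (correct), seq 2816225641, win 29200, options [mss 1460,sackOK,TS val 15744661 ecr 0,nop,wscale 7], length 0
bitbucket.org.443 > 192.168.2.168.54440: Flags [S.], cksum 0x5c8d (correct), seq 1149625734, ack 2816225642, win 26847, options [mss 1460,sackOK,TS val 4256708721 ecr 15744661,nop,wscale 7], length 0
192.168.2.168.54440 > bitbucket.org.443: Flags [.], cksum 0xf33d (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 15744683 ecr 4256708721], length 0
192.168.2.168.54440 > bitbucket.org.443: Flags [P.], cksum 0x58a5 (correct), seq 1:221, ack 1, win 229, options [nop,nop,TS val 15744684 ecr 4256708721], length 220
bitbucket.org.443 > 192.168.2.168.54440: Flags [.], cksum 0xf211 (correct), seq 1, ack 221, win 219, options [nop,nop,TS val 4256708810 ecr 15744684], length 0
bitbucket.org.443 > 192.168.2.168.54440: Flags [P.], cksum 0x9998 (correct), seq 2897:3668, ack 221, win 219, options [nop,nop,TS val 4256708810 ecr 15744684], length 771
192.168.2.168.54440 > bitbucket.org.443: Flags [.], cksum 0x4e08 (correct), seq 221, ack 1, win 251, options [nop,nop,TS val 15744705 ecr 4256708810,nop,nop,sack 1 {2897:3668}], length 0
"""

# One tcpdump -vvv TCP summary line: endpoints, flags, seq[:end], optional ack, options, length.
PKT_RE = re.compile(
    r"^(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\].*?"
    r"seq (?P<seq>\d+)(?::(?P<end>\d+))?(?:, ack (?P<ack>\d+))?.*?"
    r"options \[(?P<opts>[^\]]*)\], length (?P<len>\d+)"
)

def analyze(capture: str) -> dict:
    """Locate holes in each sender's byte stream and test whether only full-size segments are missing."""
    mss, has_ts, covered, gaps, sacks = 65535, False, {}, [], []
    for line in capture.splitlines():
        m = PKT_RE.search(line.strip())
        if not m:
            continue
        opts = m["opts"]
        if "S" in m["flags"]:  # handshake packets carry absolute seq numbers; learn MSS / TS use
            mo = re.search(r"mss (\d+)", opts)
            if mo:
                mss = min(mss, int(mo[1]))  # payload per segment is bounded by the smaller MSS
            has_ts = has_ts or "TS val" in opts
            continue
        if int(m["len"]) > 0:  # data segment (relative seq): is there a hole in front of it?
            start, end = int(m["seq"]), int(m["end"])
            seen = covered.setdefault(m["src"], 1)
            if start > seen:
                gaps.append((m["src"], seen, start))
            covered[m["src"]] = max(seen, end)
        sacks += [(int(a), int(b)) for a, b in re.findall(r"\{(\d+):(\d+)\}", opts)]
    full = mss - (12 if has_ts else 0)  # the TCP timestamp option uses 12 bytes of MSS room
    # A hole that is an exact multiple of the full segment size, detected because a shorter
    # segment behind it did arrive, is the path-MTU blackhole pattern: big packets dropped.
    suspect = bool(gaps) and all((hi - lo) % full == 0 for _, lo, hi in gaps)
    return {"mss": mss, "full_segment": full, "gaps": gaps, "sacks": sacks, "blackhole_suspect": suspect}

if __name__ == "__main__":
    print(analyze(CAPTURE))
```

The mitigation for that pattern on a PPPoE uplink is MSS clamping in the mangle table (the `mtu_fix` option on OpenWrt's wan zone); `iptables --list-rules` lists only the filter table, so `iptables -t mangle -S FORWARD` is where to check whether a TCPMSS rule is present.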
